The Michigan fight song and four other reasons to avoid Internet voting

Op-ed: Conducting elections online would be a security and privacy nightmare.

In a Monday article, we described the security and reliability problems that have undermined public confidence in electronic voting machines within the United States. We described how several states started scrapping paperless voting machines in favor of paper-based alternatives.

Even more ambitious than the use of electronic voting machines in polling places would be to do away with the polling places altogether, conducting elections over the Internet. We didn't discuss this option in our previous piece because Internet voting has yet to catch on in the United States, but the topic crops up regularly in discussions (including in the Ars forums). So we thought it would be worthwhile to discuss five reasons it would be a big mistake to allow Americans to cast their votes online.

Hacked servers

In 2010, election officials in Washington, DC, provided a good case study of the dangers in Internet voting. They unveiled a pilot project to let members of the military cast their votes online. During a test run, they invited security researchers to probe the system for vulnerabilities. The result: the election website was hacked to play the University of Michigan fight song after voters cast their ballots. Of course, the same tactics could be used to arbitrarily change the election results. In a follow-up report, Michigan Prof. Alex Halderman explained how his team found a "small error in file-extension handling" that "left the system open to exploitation."

Obviously, the specific vulnerability Halderman's team discovered can be fixed. But building a secure website is an inherently difficult problem. "If this particular problem had not existed, I’m confident that we would have found another way to attack the system," Halderman wrote. And that's a problem because there are many parties who might have a vested interest in compromising American elections. For example, foreign governments might be willing to spend significant sums of money to engineer the defeat of members of Congress who they saw as hostile to their interests.

This problem is exacerbated by the decentralized structure of America's electoral process. Decisions about voting technologies are made at the state, and often even the county, level. Even if the largest and most tech-savvy jurisdictions could build a hack-proof voting system—far from a certainty—smaller jurisdictions lack the resources and expertise to do so.

Client-side malware

Even assuming election officials could properly lock down their servers, their security woes wouldn't be over. They would also have to worry about security on the millions of client machines that voters would use to cast their votes.

At any given time, hundreds of thousands, if not millions, of American PCs are members of botnets thanks to compromise by malware. Right now, hackers commandeer peoples' computers for nefarious activities like sending spam and participating in denial-of-service attacks.

In a world of widespread Internet voting, the same tactics could be used to compromise elections. Malware could silently monitor a user's Web browsing on Election Day, silently intercept the user's vote and invisibly switch it to the malware author's chosen candidate.

Authentication

Deterring in-person voter fraud is relatively easy. Voters who attempt to cast a vote in person place themselves at risk of prosecution if their fraud is discovered. Also, there's an inherent limit to the number of precincts any single person can visit to cast fraudulent votes on Election Day. In contrast, a single hacker who figures out how to impersonate other voters could potentially cast thousands or even millions of fraudulent votes. That means technical authentication mechanisms would bear a much bigger share of the security burden in an online election system.

America simply doesn't have the kind of authentication infrastructure necessary to support secure Internet voting. For example, driver's licenses are one of the most commonly used methods for in-person identification. Some states allow voters to change their voter registration online using their driver's license number as an identifier. But security researchers have demonstrated that driver's license numbers are not a secure identifier, since they can be derived from other information about the voter (such as his name and date of birth).

Fortunately, these websites only handled voter registration, not voting itself. But a poorly-designed online voting scheme could be vulnerable to similar attacks, with devastating consequences.

Coercion and bribery

A key principle of modern voting systems is ballot secrecy. Polling places are designed to preserve the secrecy of any particular voter's ballot in order to prevent bribery and coercion of voters. If your boss threatens to fire you unless you vote for his preferred candidate, the secret ballot ensures that you can vote for whoever you want. If necessary, you can lie about it afterwards.

Online voting undermines ballot secrecy. Because voters can vote from anywhere, they can be coerced or bribed into voting with a third party looking over their shoulder.

Traditional paper voting techniques also keep voters' ballots secret from pollworkers themselves. This could be important in jurisdictions where voters might suspect, justifiably or otherwise, that election officials themselves are corrupt. It would be difficult to preserve this characteristic of verifiable anonymity in an online voting setting. Logging into an online voting site will necessarily require presenting credentials that could be tied back to a voter's real-world identity. And while election officials can claim they don't keep records of who cast which votes, it would be hard to design a voting system that allows the voter to verify that promise.

It's worth noting that paper absentee ballots expose voters to the same kinds of coercion risks. This is a key reason that many voting experts are critical of states such as Oregon and Washington that conduct their elections by mail, as well as other states that allow absentee voting on demand. For example, Miami-Dade police recently "arrested two boleteros, or ballot-brokers, on charges of altering ballots of elderly or disabled voters." The Miami Herald reports that "absentee-ballot fraud is nothing new, particularly in Miami-Dade, where two local elections were overturned in the 1990s because of phony and forged absentee ballots. In 1976, local elections officials tossed out piles of suspicious absentee ballots cast at Miami nursing homes."

Usability problems

We have no doubt most Ars readers would find Internet voting to be a straightforward and user-friendly process. But not all voters are so tech-savvy. Some elderly voters may have trouble finding the online voting site, may not know they have to click the "submit" button after clicking their choices, may get confused by error messages, and so forth. Traditional paper ballots have a comparatively straightforward user interface, and there are always pollworkers on hand to explain the process to voters if they get confused. Paper ballots certainly aren't perfect, but for many voters they're likely to be the least confusing option.

Of course, technological progress may eventually solve some of these problems, so it would be foolish to say that Internet voting will never be a good idea. But right now, we are nowhere close to being able to conduct secure, reliable, private, or user-friendly elections over the Internet. Physically traveling to a polling place to fill out a paper ballot remains the safest, cutting-edge method for choosing our leaders.

Timothy B. Lee
Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times. Email: timothy.lee@arstechnica.com // Twitter: @binarybits